Below are highlights of the top stories for June. There is more detail on each below, as well as on our weblog at http://www.acm.org/usacm:

* USACM released policy recommendations for ensuring privacy in the collection, storage and use of personal information when designing systems or setting policy.

* David Bruggeman joins the ACM Policy Office as its Public Policy Analyst.

* USACM joins the Computing Research Association in applauding increases in science funding by Congress.

* USACM Chair Eugene Spafford testified on ways to improve cybersecurity at the Department of Veterans Affairs in the wake of the recent data breach of personal information on 26.5 million veterans.

* Both the Senate and the House of Representatives focused on digital rights management mandates while considering legislation.

* At the Computing Research Association’s Snowbird Conference, Rick Rashid, head of Microsoft Research, presented his thoughts on the image of computing.

[2] USACM Releases Privacy Policy Recommendations

With security breaches revealing millions of personal records, new surveillance programs being adopted by law enforcement, and calls for data to be retained longer by Internet Service Providers, the role of privacy and technology is very much on the minds of policymakers. The most common refrain from advocates is for Congress to enact a comprehensive privacy framework instead of addressing privacy issues on an ad hoc basis as it typically does. USACM’s recommendations for this framework focus on seven basic areas: minimization, consent, openness, access, accuracy, security, and accountability. Below is the background released with the statement. For the complete statement, including the 24 specific recommendations spread among the seven areas noted above, please see:

Current computing technologies enable the collection, exchange, analysis, and use of personal information on a scale unprecedented in the history of civilization. These technologies, which are widely used by many types of organizations, allow for massive storage, aggregation, analysis, and dissemination of data. Advanced capabilities for surveillance and data matching/mining are being applied to everything from product marketing to national security.

Despite the intended benefits of using these technologies, there are also significant concerns about their potential for negative impact on personal privacy. Well-publicized instances of personal data exposures and misuse have demonstrated some of the challenges in the adequate protection of privacy. Personal data — including copies of video, audio, and other surveillance — needs to be collected, stored, and managed appropriately throughout every stage of its use by all involved parties. Protecting privacy, however, requires more than simply ensuring effective information security.

The U.S. Public Policy Committee of the Association for Computing Machinery (USACM) advocates a proactive approach to privacy policy by both government and private sector organizations. We urge public and private policy makers to embrace the following recommendations when developing systems that make use of personal information. These recommendations should also be central to any development of any legislation, regulations, international agreements, and internal policies that govern how personal information is stored and managed. Striking a balance between individual privacy rights and valid government and commercial needs is a complex task for technologists and policy makers, but one of vital importance.

USACM does not accept the view that individual privacy must typically be sacrificed to achieve effective implementation of systems, nor do we accept that cost reduction is always a sufficient reason to reduce privacy protections. Computing options are available today for meeting many private sector and government needs while fully embracing the recommendations described above. These include the use of de-identified data, aggregated data, limited datasets, and narrowly defined and fully audited queries and searches. New technologies are being investigated and developed that can further protect privacy. USACM can assist policy-makers in identifying experts and applicable technologies.

[3] David Bruggeman Joins USACM Policy Office

David Bruggeman joined ACM in June as our Public Policy Analyst, where he will be working on a wide range of technology policy issues. He is currently working on his Ph.D. in Science and Technology Studies (with a concentration in Politics and Policy) at Virginia Tech. He has previously worked for the National Academies (in the Committee on Science, Engineering and Public Policy, the Government-University-Industry Research Roundtable and the Forum on Information Technology and Research Universities). He also interned in the satellite division of the National Oceanic and Atmospheric Administration.

David takes over for David Padgham, who left the office for a position at the Computer Science and Telecommunications Board of the National Academies.

David Bruggeman can be reached via e-mail at david.bruggeman AT acm.org.

[4] USACM’s Chair Testifies on VA Data Breach

Testifying before the House Veterans’ Affairs Committee about the recent data breach at the Veterans Affairs (VA) Department, Eugene Spafford argued that this breach was a policy problem rather than a technology one. His full testimony can be found at:

He noted that government, industry and academia all have systemic problems with how accountability is built into information security policies, and that two problems commonly emerge when looking at the VA issue:

“1. There is no centralized point of authority to ensure that rules, procedures and good practices are instituted and observed. There are good people at the VA who understand what needs to be done, and many of them try to do the right thing. However, there is no centralized position that has all three components necessary to effectively manage information security: resources, accountability, and authority. There should be a CIO or CISO (Chief Information Security Officer) who has adequate funding and trained personnel to carry out a comprehensive security plan. That office (and management above it) also must be held accountable for failures to satisfy necessary standards and successfully pass audits. Last of all, that same office must have authority to make changes, shut down systems (if necessary), and terminate employees for cause. Accountability without authority means the position is simply a focus for blame when failures occur; authority without resources means that only limited organizational problems can be fixed; and resources without accountability may simply lead to fraud, waste and abuse.

2. An employee or contractor makes an arbitrary decision to violate security policies so as to make his job easier. This is done without understanding why the policy is structured as it is, and without understanding the potential consequences of the violation until it is too late, if even then. Unfortunately, we see this happening all the time, and it is usually the case that — even if detected — no sanctions are imposed so long as the work gets done and nothing untoward appears to happen. This builds a climate of contempt for the policies, and the mistaken belief that end-users are capable of making policy decisions involving enterprise security. If something untoward does happen, often the guilty parties are scolded, but nothing further occurs: an attitude of “failures are commonplace” overrides any thought of holding guilty parties fully accountable.”

These points were clearly heard by the members of the committee. Several members, including the Chairman, expressed support for a “comprehensive” fix to the security policies, not just reactive solutions, such as credit monitoring.

[5] Computing Community Leaders Praise House Appropriators for Increasing Research Funding to Aid Competitiveness

USACM and the Computing Research Association released a joint statement regarding Congress’ support of increased research funding. They commended Rep. Frank Wolf and his colleagues on the House Appropriations Subcommittee for Science, State, Justice and Commerce for fully supporting the President’s American Competitiveness Initiative (ACI) in legislation passed by the House of Representatives. We have included excerpts below. For the full statement, please see:

The bill would provide an 8 percent increase in research funding at the National Science Foundation — an increase of $439 million over last year’s level and an additional $104 million increase to the core laboratories of the National Institute of Standards and Technology. Both increases are key parts of the ACI proposed by the President in his State of the Union address last January.

“Chairman Wolf and his committee have created a historic opportunity to secure the Nation’s leadership in research in information technology and other physical sciences,” said Daniel A. Reed, Director of the Renaissance Computing Institute at the University of North Carolina and Chair of the Computing Research Association. “By acting to fulfill the promise of ACI, the subcommittee has made a down payment on America’s future competitiveness.”

“We applaud this decisive action and are pleased that the legislation responds to our advice about making a serious statement about fostering innovation in America,” said Eugene Spafford, Director of the Center for Education and Research in Information Assurance at Purdue University and Chair of the Association for Computing Machinery’s U.S. Public Policy Committee (USACM). “The computing research field is a crucial example of how federal investment in fundamental research drives economic growth. These increases would reverse a lengthy trend of flat or declining budgets in computing research that threaten to put future innovation at risk.”

[6] Congress Turns Attention to DRM Mandates

Recently both the Senate and the House of Representatives considered video and audio flags in legislation and hearings.

In Senate action on the video flag, a key committee considered a broad telecommunications proposal, part of which would enact the FCC rulemaking on the broadcast flag, outlawing any receiver or downstream technology that fails to comply with certain technology restrictions. This limits technology development and raises likely compatibility problems with pre-existing technology; and while there are some carve-out exemptions, it restricts activities typically considered fair use of copyrighted material. The Senate committee also passed provisions creating a new federal advisory committee to study and propose a new audio flag for digital audio broadcasts. The advisory committee has one year to develop regulations. If it fails to achieve a consensus, the FCC may act without restriction. While the telecommunications bill has passed out of committee, Chairman Stevens (R-Alaska) does not expect the bill to reach the floor prior to September.

In House action, the Telecommunications and the Internet Subcommittee of the Energy and Commerce Committee held a hearing on the audio and video flags, with representatives from both content providers and broadcasters called to testify. Most of the hearing focused on the audio flag, as it is the focus of HR 4861, the Audio Broadcast Flag Licensing Act of 2006. There was disagreement on many points. Not everyone felt it was time to develop an audio flag, given that the HD radio industry was still emerging. Each side in the debate accused the others of stalling or otherwise acting in bad faith. Others felt that the legislation would undercut existing fair use provisions regarding home recording. Content providers argued that it would not, as they had no issue with timeshifting or recording during broadcast. The subcommittee seemed committed to some kind of action, with members urging the parties to move forward and develop a standard (with the device manufacturers at the table) or Congress would do it for them. Discussion on the video and broadcast flags was not as contentious, with discussion covering the need for an exemption for news and public affairs programs, and the claims that the video flag is anti-consumer (for many of the same reasons listed above). Further action on this legislation is also not expected prior to the summer recesses.

[7] Snowbird Conference: The Image of Computing

At the Computing Research Association’s biennial Snowbird conference on the state of research in the field, one of the sessions was about the image of computing with Rick Rashid, head of Microsoft Research, talking about how we need to get the romance of computing back.

He started with a humorous video from 1994 showing the incredible optimism stemming from the digital “superhighway” and the so-called “convergence” of telecommunications, computing and media forces. This optimism translated into a spike in interest in majoring in CS. He contrasted this against the boundless pessimism we saw in 2002 with the media drumbeat about the end of the field. This, of course, manifested itself as a sharp drop in interest in majoring in CS. He outlined three factors that are driving the declining image of computing:

* CS careers are seen as unattractive by young people (they are geeky)
* CS careers are seen as not financially rewarding (losing jobs to offshoring)
* CS is seen as gender biased against women and minorities

To rebut some of the image issues, he presented detailed slides of open positions and salary data showing the strength of the job market. He further noted that hiring at Microsoft and its competitors is up by 30 percent. He also outlined some of the activities different computing societies are undertaking to help shape the field’s image, and argued that a recent Money magazine report that showed software engineer as the #1 job in America was a positive sign.

He also asked, why should we care? For Microsoft, they are already having problems finding talent. Declining enrollments and graduation rates will exacerbate this problem. He laid out the mid- and long-term impacts: CS education programs will shutter and US-based IT companies will increasingly look toward global talent to fill their needs. He argued that the pipeline for undergraduates is already drained and it will soon be for graduate students.

While he argued that we are making some progress, the overarching goal should be to get the romance of computing back. He talked about restoring a sense of wonder and projecting the boundless opportunities of computing. This implies a much more emotional connection to computing. He also pointed out some “sense of wonder” technologies. Finally, he argued that with a relatively short 50-year history as a field, we are just getting started and can’t predict where the next “sense of wonder” opportunities might come from, but we still have to publicize them. Further, the community has to continue to do outreach on the value of computing to the press and high-school guidance counselors.

His slides have much more detail on each of these points and hopefully will be on CRA’s website soon. For more information on the Snowbird conference and other presentations see:

USACM is the U.S. Public Policy Committee of the Association for Computing Machinery (ACM). ACM is an educational and scientific society uniting the world’s computing educators, researchers and professionals to inspire dialogue, share resources and address the field’s challenges. ACM strengthens the profession’s collective voice through strong leadership, promotion of the highest standards, and recognition of technical excellence. ACM supports the professional growth of its members by providing opportunities for life-long learning, career development, and professional networking.